• Security Advisory YSA-2025-02

    Security Advisory YSA-2025-02 – FIDO PIN/UV Auth Protocol Two Out of Conformance

    Published Date: 2025-04-02
    Tracking IDs: YSA-2025-02
    CVE: CVE-2025-29991
    CVSS: 2.2

    Summary

    A low severity issue has been identified in YubiKeys versions 5.4.1 through 5.7.3 in the FIDO CTAP PIN/UV Auth Protocol Two implementation. These YubiKey versions use the 16 byte signature length from CTAP PIN/UV Auth Protocol One during the verification step, even when the 32 byte CTAP PIN/UV Auth Protocol Two signature was expected. This issue is addressed in YubiKey version 5.7.4. 

    Exploiting this issue would be difficult as there are additional protections in the protocol and the signature length from CTAP PIN/UV Auth Protocol One still provides significant security control. Due to the level of effort required to exploit this issue, existing mitigations on both the YubiKey and in the FIDO protocol, this is a low severity issue.

    For more details see Issue Details section below.

    Affected Devices

    YubiKey 5 Series versions 5.4.1 through 5.7.3

    YubiKey 5 FIPS Series versions 5.4.1 through 5.7.3

    YubiKey 5 CSPN Series version 5.4.2

    YubiKey Bio Series versions 5.5.0 through 5.7.3

    Security Key Series versions 5.4.1 through 5.7.3

    Not Affected Devices

    YubiKey 5 Series versions 5.4.0 and older and versions 5.7.4 and newer

    YubiKey 5 FIPS Series versions 5.7.4 and newer

    YubiKey Bio Series versions 5.7.4 and newer

    Security Key Series all versions 5.4.0 and older and versions 5.7.4 and newer

    All YubiHSM 2 versions

    All YubiHSM 2 FIPS versions

    How to Tell if You Are Affected

    To identify the YubiKey, use Yubico Authenticator to identify the model and version of the YubiKey. The series and model of the key will be listed in the upper left corner of the Home screen. In the following example, the YubiKey is a YubiKey 5C NFC version 5.7.0.

    Yubico Authenticator

    Customer Actions

    Mitigation

    To help avoid local and physical threats, users should continue to exercise due diligence when installing software on their devices and maintain control of YubiKeys.

    Issue Details

    FIDO implementations consist of a Relying Party (e.g. website), Client (browser/operating system), and Authenticator (e.g. security key). PIN/UV Auth Protocol is a CTAP mechanism for performing PIN authentication between Client and Authenticator without exchanging the PIN in cleartext.

    As part of the verification step of PIN/UV Auth Protocol (see verify(key, message, signature) in this section of the CTAP PIN/UV Auth Protocol definition), an HMAC-SHA-256 signature must be sent by the platform to the authenticator with each command where user verification is to be performed. This signature must be 16 bytes long in PIN/UV Auth Protocol One and 32 bytes long in PIN/UV Auth Protocol Two.

    Affected versions of the YubiKey verify 16 bytes of the signature regardless of which version of the protocol is being used.

    Severity

    Yubico has rated this issue as Low. It has a CVSS score of 2.2

    Timeline

    October 22, 2024Yubico informed by Robby Cornelissen, Head of Research at International Systems Research Co. (isr.co.jp)
    April 01, 2025YubiKey 5.7.4 release available
    April 02, 2025Yubico releases advisory YSA-2025-02